What Is the Authority to Operate Process?
For federal agencies, obtaining Authorization to Operate (ATO) is often the bottleneck to deploying new software or major updates. These delays aren’t just frustrating—they can be dangerous, especially in high-stakes environments like the battlefield or in delivering vital public services. When emerging threats evolve faster than software is authorized, waiting isn’t just inefficient—it’s a liability. The federal government cannot afford disruption. Ongoing authorization tailored for continuous software delivery, or continuous Authority to Operate (cATO), is a game-changer. By linking speed, stability, and security, cATO enables agencies to stay ahead of threats, allowing for rapid, secure updates without the bureaucratic backlog of traditional reauthorization.
In this article, we’ll dive into the key elements of an ATO and continuous Authority to Operate checklist, outline the steps involved in the process, and explore how long it typically takes to secure an ATO.
What Is Authority to Operate?
Authorization to Operate, or ATO, is a formal process for verifying that a system’s functionality, security, and readiness meet the standards to deploy in a government environment. As Digital.gov notes, without an ATO, no one can “use, buy, or build software for the government.”
The challenge is that achieving an ATO typically involves a fairly lengthy and complex evaluation process that feels more like navigating a bureaucratic labyrinth than pursuing innovation. The goal is to identify and mitigate security risks and vulnerabilities, but capacity and skills deficits often cause delays. Yes, it’s necessary, but the traditional approach bogs down progress at a time when speed and security are both mission-critical.
Note: An ATO is often colloquially referred to as an “Authority to Operate.” The technical term is “Authorization to Operate.” This guide will occasionally use the colloquial term in addition to the technical phrase.
What Is the ATO Process?
Obtaining an Authorization to Operate (ATO) involves a structured but flexible process defined by the Risk Management Framework (RMF). We are often asked, “What are the ATO process steps?” It’s important to remember that ATOs are granted during the seven-step RMF process:
- Prepare: Identify key roles, establish a risk management strategy, and determine a context and priorities for managing security and privacy risk for the organization and systems.
- Categorize: Conduct an analysis of the impact of loss on the system and information it processes, stores, and transmits.
- Select: Based on the categorization and risk assessment, select an initial set of security controls and tailor them as necessary to further reduce risk.
- Implement: Apply selected controls and document their use on the system and within the operating environment.
- Assess: Conduct an independent assessment of the implemented controls to verify their functionality and effectiveness in mitigating risks.
- Authorize: The Authorizing Official (AO) reviews the assessment results and associated documentation, including, but not limited to, the System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M). The AO then determines whether the system can operate at an acceptable level of risk.
- Monitor: Conduct regular assessments, updates, and monitoring to ensure system compliance and address any emerging threats.
Note: This list is a high-level overview of the RMF process—multiple steps in each of these sections must be completed. More information is available from NIST or by working with an experienced partner like Rise8.
An ATO indicates a system has passed a thorough evaluation and is authorized to operate within specified conditions for a specific period, typically three years. During this period, there is a requirement for ongoing monitoring to maintain system compliance. At the end of the period, the organization’s system must undergo a full reauthorization process.
Using an authority to operate checklist (or an authority to operate checklist template) can help you create a structured approach to obtaining an ATO with the seven-step RMF process and ensure comprehensive security for information systems.
How Long Does the ATO Process Take?
The entire process from preparation to obtaining the ATO can range from six months to two years, with one year being a common duration. Factors such as the organization’s familiarity with the RMF process, the complexity of the system, and the efficiency of the assessment and authorization process can significantly impact the timeline.
There are two ways to reduce the amount of time between the design and deployment of crucial software projects:
- Use an ATO checklist or checklist template, as described above; or
- After achieving the initial ATO, leverage ongoing authorization tailored for continuous delivery, known as continuous Authority to Operate (cATO).
What Is continuous Authority to Operate?
cATO is the uncodified term used to describe a specific subset of ongoing authorization tailored for continuous software delivery. cATO is designed to integrate continuous monitoring and agile methodologies, ensuring that security and compliance are maintained in real time as systems and software are developed and updated. This approach aligns with the Risk Management Framework but shifts the focus from periodic reauthorization to ongoing assessment and authorization.
What Are the Advantages of cATO?
The advantages of ongoing authorization include:
- Improved security posture and reduced risk.
- Increased transparency and trust.
- Reduced costs while increasing delivery of value to organizations and end-users.
Explore Rise8’s Next-Level cATO Playbook
Rise8 is spearheading initiatives to deliver software solutions 25x faster than traditional methods using Agile and DevOps principles and adhering to the Risk Management Framework. Our approach allows faster, more secure software delivery, ensuring systems remain compliant and resilient against evolving threats. Wondering what embracing cATO may look like for your organization? Explore our cATO Playbook. Learn more about our capabilities or reach out to get started today.